Dependency Audits

composer audit checks installed or locked packages against known security advisories and reports abandoned packages. It helps teams find dependency risk early.

Working Knowledge

• Run audits locally after dependency changes and in CI on a schedule.
• Investigate advisories and abandoned packages rather than treating audit as a checkbox.
• Update narrowly when possible and test the result.
• Record accepted temporary risk with ownership and a remediation date.
• Remember that audit data cannot detect every vulnerability.

Run The Audit

composer audit

Run it after dependency changes and on a schedule in CI. Dependency risk changes when new advisories are published, even if your repository has not changed.

Triage The Result

For each advisory, identify the affected package and versions, whether your application uses the vulnerable feature, the available fixed version, the update blast radius, and the owner for remediation.

An abandoned package warning is not automatically an emergency, but it is a maintenance signal. Decide whether a supported replacement exists and how migration will be tested.

Record Temporary Exceptions

If an update cannot land immediately, record the reason, compensating controls, owner, and review date. Avoid permanent silent ignores.

In Application Work

Dependency risk changes without source-code changes. Scheduled audits and update workflow matter even during quiet development periods.

What To Check

Before moving on, make sure you can run an audit, triage advisories, respond to abandoned packages, and document time-limited exceptions.